The present invention relates to improving security in computer systems. More specifically, it provides a virtual security appliance deployment tool that makes use of a library of security policy templates enabling automatic creation, configuration, and deployment of security appliances for workloads in cloud and virtualized environments without requiring that a user configure the security policy and other parameters of the instantiated security appliances.
In virtualized and cloud computing environments, complex workloads can be assembled and deployed dynamically. In the context of the present invention, the term “workload” refers to the instantiation of a virtual computing configuration including at least one virtual machine that is running an application. Conventionally, the composition, topology, and configuration parameters of complex workloads can be specified through workload definition documents (WDDs) and modified through APIs (Application Program Interfaces) offered by a cloud management stack. In the context of the present invention and as well known in the art, an API is a set of routines, protocols, and tools for building software applications which specify how software components should interact. The API set is often used when programming graphical user interface (GUI) components.
The present inventors have recognized that the automated deployment of computing workloads has not been accompanied by a corresponding automated deployment of network security controls (appliances) that provide security functionality for computing workloads. Furthermore, the network security controls are not automatically configured with appropriate security policies providing optimal protection for the workload. Currently, cloud computing environments provide ways to deploy basic network security controls like traffic firewalls that filter traffic at layers 2, 3, and 4, for example, in the form of security groups as implemented, for example, in the OpenStack cloud computing software platform exemplarily used herein to describe the concepts of the present invention. Although cloud computing environments already provide ways for deploying (virtual) security appliances, for example appliances for intrusion detection/prevention, data encryption, monitoring, and security intelligence, these deployments require that a user make appropriate settings to these highly complex (virtual) security appliances.
The present inventors have also recognized that, once these appliances are deployed, it is currently not possible to automatically drive the configuration of their security policies based on the types of workloads that have been deployed. Instead, cloud users typically get access to the security appliance management console, a set of APIs, etc., and must use these themselves to provision the appropriate security policies for the workload they have deployed. Configuring appropriate policies for these complex security appliances, however, typically requires expert users with the skill set to translate the workloads' security requirements into the security policies of those (virtual) security appliances.
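As an added illustration of the template-driven approach the invention proposes (this is example code written here, not the patent's own implementation), the following Python maps a constructed workload definition document onto a small library of security policy templates and derives, for each VM, the layer-3/4 filter rules and the intrusion-detection ruleset its virtual appliance should receive, so that no per-appliance settings are required from the user. The template names, WDD fields (`vms`, `role`, `allowed_from`), port numbers, and ruleset names are all constructed assumptions; a VM whose role has no template falls back to default-deny rather than being left unfiltered.

```python
from dataclasses import dataclass, field

# Constructed policy template library, keyed by the application role of a VM.
POLICY_TEMPLATES = {
    "web": {"allow_ports": [80, 443], "ids_ruleset": "http-attacks", "inspect": "inbound"},
    "db": {"allow_ports": [5432], "ids_ruleset": "sql-injection", "inspect": "both"},
}


@dataclass
class AppliancePolicy:
    """Security policy derived for one VM: layer-3/4 filter rules plus IDS settings."""
    vm: str
    role: str
    filter_rules: list = field(default_factory=list)  # (proto, port, source) tuples
    ids_ruleset: str = "baseline"
    inspect: str = "both"


def build_policies(wdd: dict) -> list:
    """Derive one appliance policy per VM in the WDD from the template library.
    A tier is reachable only from the sources listed in its "allowed_from"
    entry ("internet" is taken literally). A role with no template falls back
    to default-deny: no allowed ports and the baseline IDS ruleset.
    """
    policies = []
    for vm in wdd["vms"]:
        policy = AppliancePolicy(vm=vm["name"], role=vm["role"])
        template = POLICY_TEMPLATES.get(vm["role"])
        if template is not None:
            policy.ids_ruleset = template["ids_ruleset"]
            policy.inspect = template["inspect"]
            for port in template["allow_ports"]:
                for source in vm.get("allowed_from", []):
                    policy.filter_rules.append(("tcp", port, source))
        policies.append(policy)
    return policies


# Constructed WDD: a two-tier workload plus a VM whose role has no template.
SAMPLE_WDD = {
    "vms": [
        {"name": "web01", "role": "web", "allowed_from": ["internet"]},
        {"name": "db01", "role": "db", "allowed_from": ["web"]},
        {"name": "batch01", "role": "batch"},
    ]
}

if __name__ == "__main__":
    for policy in build_policies(SAMPLE_WDD):
        print(policy)
```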